Victoria’s public health system is “highly vulnerable” to an attack like the one experienced in Singapore last year where 1.5 million patient health records were exfiltrated.
An auditor-general report released Wednesday exposed widespread security weaknesses and vulnerabilities that it said left patient data at risk.
“Victoria’s public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne‐based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services,” the auditor-general said in its report. [pdf]
“There are key weaknesses in health services’ physical security, and in their logical security, which covers password management and other user access controls.
“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.”
The audit covered Barwon Health, the Royal Children’s Hospital, the Royal Victorian Eye and Ear Hospital and two different areas of the Department of Health and Human Services (DHHS).
In all four agencies, the auditor-general’s team was able to exploit weaknesses and access patient data.
“The audited health services are not proactive enough, and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report said.
In addition, health services relied on external service providers but were “not fully aware” of the security controls that those externally-hosted platforms implemented.
“Due to the sector’s reliance on third‐party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe,” the audit found.
Victoria’s public health services have access to a set of 72 baseline cybersecurity controls developed by the DHHS’s Digital Health branch.
But, to date, “no Victorian public health service has fully implemented all 72 controls”.
“The audited health services advise that key barriers to implementing the controls are a lack of dedicated funding for cybersecurity projects and limited staff availability,” the audit report said.
In addition, there are no penalties for non-compliance, which likely contributes to the slow pace at which health services are implementing the controls.
The health sector in Australia is consistently one of the top industry sectors to suffer reportable data breaches, according to statistics released by the Office of the Australian Information Commissioner (OAIC).
Lax access controls, passwords
The audit uncovered major problems with the way access controls were managed.
It found unused and terminated employee accounts that were still enabled, as well as a lack of any formal or regular user access reviews “to ensure only staff who need access have it.”
Additionally, health services did not keep user access forms to prove that those with permissions were actually approved to hold them.
“These deficiencies mean that agencies cannot be sure that only authorised staff access patient records,” the audit states.
The auditor-general found passwords that could be easily cracked, in part because some were the system default - even on administrator accounts.
“We found staff user accounts at all audited agencies with weak passwords, which were accessible using basic hacking tools,” the audit found.
“We successfully accessed administrator accounts.
“We also found that health services rarely used multi‐factor authentication (MFA), even for ICT staff and administrator accounts.
“We identified examples where audited agencies were still using default account names and passwords on key devices, including servers.”
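The two sets of findings above (enabled accounts belonging to terminated or inactive staff with no regular access review, and administrator accounts without MFA or still carrying default passwords) are exactly the kind of check that can be automated. The following is an added example, not code from the auditor-general's report or from any of the audited health services: a small user-access review run over a constructed account export. The field names, the 90-day inactivity threshold, the list of default passwords and the use of unsalted SHA-256 for the sample are all assumptions made for the example; a real directory exports salted or OS-specific hashes, so the password comparison would need to match whatever the system actually stores.

```python
"""Added example (not from the audit report): automated user-access review.

Flags, per enabled account, the findings the audit describes:
  - terminated staff member whose account is still enabled
  - no logon within the inactivity window
  - administrator account not enrolled in MFA
  - password hash matching a known default
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed review parameters, not values from the report.
INACTIVITY_DAYS = 90
DEFAULT_PASSWORDS = ["admin", "password", "Password1", "changeme", "welcome"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, used only so the constructed sample is self-contained.
    Real directories store salted or OS-specific hashes (e.g. NTLM on Windows);
    adapt the comparison to whatever your system exports."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


KNOWN_DEFAULT_HASHES = {sha256_hex(p) for p in DEFAULT_PASSWORDS}


@dataclass
class Account:
    """One row of an assumed HR/identity-management export (field names are hypothetical)."""
    username: str
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    last_logon: Optional[date]   # None means the account has never logged on
    employment_status: str       # "active" or "terminated"
    password_hash: str


def review_account(acct: Account, today: date) -> List[str]:
    """Return the findings for one account; an empty list means clean."""
    findings: List[str] = []
    if not acct.enabled:
        return findings  # a disabled account cannot be used to log in
    if acct.employment_status == "terminated":
        findings.append("terminated staff member still enabled")
    if acct.last_logon is None or (today - acct.last_logon).days > INACTIVITY_DAYS:
        findings.append(f"no logon in the last {INACTIVITY_DAYS} days")
    if acct.is_admin and not acct.mfa_enrolled:
        findings.append("administrator account without MFA")
    if acct.password_hash in KNOWN_DEFAULT_HASHES:
        findings.append("password matches a known default")
    return findings


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map username -> findings, including only accounts with at least one finding."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample export: four accounts chosen to exercise each check.
TODAY = date(2019, 5, 29)
SAMPLE_ACCOUNTS = [
    # Active, recently used, MFA enrolled, non-default password: clean.
    Account("jsmith", True, False, True, date(2019, 5, 28), "active", sha256_hex("Tr0ub4dor&3")),
    # Left in November 2018 but never disabled: terminated + inactive.
    Account("rjones", True, False, False, date(2018, 11, 2), "terminated", sha256_hex("Summer2018!")),
    # Service/admin account in daily use, no MFA, still on the vendor default password.
    Account("svc_backup", True, True, False, date(2019, 5, 27), "active", sha256_hex("admin")),
    # Already disabled, so it is skipped regardless of its other attributes.
    Account("old_temp", False, False, False, None, "terminated", sha256_hex("password")),
]


def main() -> None:
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(user)
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run against a real export, the same structure gives a repeatable review: the HR termination list becomes `employment_status`, the directory's last-logon attribute becomes `last_logon`, and the password step is replaced by whatever offline check the stored hash format allows. Disabled accounts are deliberately skipped so the output stays focused on what an attacker could actually use; a separate hygiene pass can delete them later.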
More to come